Phorpiex malware spreads GandCrab phishing emails

Posted on 2018-05-29 by Adam Swanda

Introduction

After analyzing the ongoing GandCrab email distribution campaign, we at InQuest Labs decided to look further into the emails themselves and exactly how this malware is being propagated. Taking a second look at one of the payloads from our last analysis, we found that the Phorpiex malware family acts as an email spreader, sending phishing emails with attachments. This immediately stood out to us as the likely culprit behind the havoc across Internet mailboxes these past weeks.

By taking a closer look at the malware named in a previous blog post as "Trik" (after its "Trik.pdb" PDB path), we have now identified it as the malware family Phorpiex. Due to the family's email spreader capability and unique strings found in the malware, it is highly likely to be responsible for the distribution of the GandCrab phishing campaigns we've seen in the wild over the past several weeks to months.

Phorpiex as a malware family has been around for several years and hasn't changed much in purpose, functionality, or code from the older samples we discovered. The primary goal of Phorpiex is to spread emails, with or without attached files, and to attempt to brute-force SMTP credentials. These actions are triggered by commands sent to the infected host through a built-in IRC bot, which connects to a hard-coded Command and Control server. The malware itself is not especially advanced: it has minimal evasion techniques, is often not packed during delivery, and is not very subtle about dropping files on disk or using hard-coded strings where more advanced malware families would use randomized characters.

Some more recent campaigns have also seen Phorpiex used to distribute the Pony and Pushdo malware families, though based on the available data GandCrab appears to be the front-runner in recent months.

Family History

All of our analyzed samples had the following PDB string:

C:\Users\x\Desktop\Home\Code\Trik v6.0 - WORK - doc\Release\Trik.pdb

Searching VirusTotal Intelligence for the "Trik.pdb" string reveals a significant number of samples that use the same file path with other version numbers in the Trik path. Some of the oldest samples date back roughly 5 years. While we are not analyzing these samples here, it is highly likely that they are variants of this malware developed by the same author, and given how frequently these samples have been uploaded to VirusTotal recently, they are either being used in another active campaign or are merely old samples that are finally making the rounds into VirusTotal.

Some of the other older versions we found included "Trik v5.0" and "Trik v3.0". Even though the version numbers are different in these samples, the functionality and core purpose remain mostly the same.

Initial Execution

Upon execution, Phorpiex creates a copy of itself under the filename "winsvc.exe" in one of three directories. Other payload file names seen include "winmgr.exe". The directory is chosen by iterating over the list of options below; the first one that exists and is writable is where the payload is dropped:

C:\Windows

C:\Users\$USERNAME\%TEMP%

C:\Users\$USERNAME\

The payload also employs some minor evasion and anti-analysis techniques.
For example, if any of the following processes are found running, the payload terminates its process:

tcpview.exe

procmon.exe

netstat.exe

wireshark.exe

Checks are also performed to see if the sample is running within a sandbox or being debugged, using the usual "IsDebuggerPresent" call and looking for QEMU, VirtualBox, VMware, and Sandboxie through the DLL names and running processes associated with these virtualization platforms. Once these checks have been passed, or bypassed by debugging and patching the binary, execution continues down the installation path.

Within the chosen directory explained above, a new sub-directory is created to house the payload copy. The sub-directory name is hard-coded as M-5050502652865804205. This value is likely to change between batches of samples, but it appears always to be prefixed by the letter "M" followed by a "-" character and 19 digits.

If this is the payload's first run, it adds itself to the Windows registry to persist across reboots at the following location:

A mutex is also created but the exact string seems to vary from sample to sample.
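The installation artifacts above (the payload file names, the three install roots, and the M-<19 digits> sub-directory) are easy to turn into a host triage check. The following is an added example written for this page, not InQuest's or the malware author's code: it scores a Windows path against those traits and treats two or more matches as a suspected drop, since the file name alone is generic and the install root alone is every user profile. The expansion of the per-user %TEMP% to C:\Users\<user>\AppData\Local\Temp and the sample paths are assumptions.

```python
import os
import re
from pathlib import PureWindowsPath

# Added example (not InQuest's code). Payload names and the "M-" + 19-digit
# sub-directory come from the analysis above; the %TEMP% expansion is assumed.
PAYLOAD_NAMES = {"winsvc.exe", "winmgr.exe"}
SUBDIR_RE = re.compile(r"^M-\d{19}$")
INSTALL_ROOT_RES = [
    re.compile(r"^C:\\Windows$", re.IGNORECASE),
    re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp$", re.IGNORECASE),
    re.compile(r"^C:\\Users\\[^\\]+$", re.IGNORECASE),
]


def phorpiex_drop_indicators(path: str) -> list:
    """Return the list of installation traits a Windows file path matches."""
    p = PureWindowsPath(path)
    subdir = p.parent            # expected: the M-<19 digits> directory
    root = str(subdir.parent)    # expected: one of the three install roots
    hits = []
    if p.name.lower() in PAYLOAD_NAMES:
        hits.append("payload filename")
    if SUBDIR_RE.match(subdir.name):
        hits.append("M-<19 digits> sub-directory")
    if any(r.match(root) for r in INSTALL_ROOT_RES):
        hits.append("known install root")
    return hits


def is_suspected_drop(path: str) -> bool:
    """Two or more traits on one path count as a suspected Phorpiex drop."""
    return len(phorpiex_drop_indicators(path)) >= 2


def triage_paths(paths) -> dict:
    """Map each suspected path to the traits it matched."""
    return {p: phorpiex_drop_indicators(p) for p in paths if is_suspected_drop(p)}


def hunt_filesystem(roots) -> list:
    """Live variant for a Windows host: look one level below each root for an
    M-<19 digits> directory and report the suspected files inside it."""
    found = []
    for root in roots:
        try:
            entries = os.scandir(root)
        except OSError:
            continue
        with entries:
            for d in entries:
                if d.is_dir() and SUBDIR_RE.match(d.name):
                    for f in os.listdir(d.path):
                        full = os.path.join(d.path, f)
                        if is_suspected_drop(full):
                            found.append(full)
    return found


# Constructed sample paths: two drops as described, one odd directory, one benign file.
SAMPLE_PATHS = [
    r"C:\Windows\M-5050502652865804205\winsvc.exe",
    r"C:\Users\alice\AppData\Local\Temp\M-1234567890123456789\winmgr.exe",
    r"C:\Users\alice\M-5050502652865804205\notes.txt",
    r"C:\Program Files\Vendor\winsvc.exe",
]

if __name__ == "__main__":
    for path, hits in triage_paths(SAMPLE_PATHS).items():
        print(path, "->", ", ".join(hits))
```

The third sample path is reported even though its file name is not a known payload name: an M-<19 digits> directory directly under a user profile is itself worth a look. Use `hunt_filesystem([r"C:\Windows", os.environ["TEMP"], os.environ["USERPROFILE"]])` on a live host.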

Command & Control

The samples we analyzed used a hard-coded C&C server of 185.189.58[.]222. This is the same server seen in our previous analysis of this GandCrab campaign, and we can see the C&C server is still active in more recent samples captured in the wild.

Many other researchers, blacklist services, online sandboxes and scanners, and security vendors have also recently noted the use of this specific Command & Control server in relation to GandCrab and Phorpiex, making it clear that our discovery was not an isolated case and that this malware pairing has widespread implications for users.

The Phorpiex family uses an embedded IRC bot to communicate with this Command and Control server on TCP port 5050. The IRC bot username is created in the format |<3 character Country Code>|[a-z]{3}. Once the bot joins the server, it receives an instruction to join a specific channel. In the samples analyzed this channel was either "#QC" or "#SMTP", although the channel names and servers likely rotate often on a per-campaign basis. The bot then receives commands from the botnet administrators to begin sending phishing emails or brute-forcing SMTP email accounts, depending on which command is received.

The bot can also be told to download and execute an arbitrary payload from a URL, instead of spreading it via phishing emails.

The SMTP brute-forcing function can be stopped by the infected host receiving the "b.off" IRC command, while the email spreading function can be stopped by receiving the "m.off" IRC command. Also, the command "rmrf" will completely remove the Phorpiex payload from the Windows Registry and its installed directories.

Outside of IRC command and control, when HTTP requests are made to the same C&C host or to one of the decoded URLs, the following HTTP User-Agent has been seen in use:

The existence of this specific user-agent seen in HTTP traffic to the IP address listed above, or when downloading Windows executable files, is a high confidence Indicator of Compromise, and the affected system should be investigated immediately.
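The IRC traits described in this section (TCP port 5050, the |<CC>|[a-z]{3} nick format, the "#QC"/"#SMTP" channels, and the b.off/m.off/rmrf commands) can be matched directly in proxy or IDS logs that record the IRC payload. The following is an added example written for this page, not InQuest's code: it scores each line of a constructed log excerpt against those traits. The log line layout, the assumption that the country code is upper-case, and the workstation and unrelated IRC server addresses are all constructed; 185.189.58.222 is the C&C address from this analysis.

```python
import re

# Added example (not InQuest's code). Assumed log layout:
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <IRC line>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<msg>.+)$"
)
C2_PORT = "5050"
NICK_RE = re.compile(r"^\|[A-Z]{3}\|[a-z]{3}$")   # country code assumed upper-case
KNOWN_CHANNELS = {"#QC", "#SMTP"}
BOT_COMMANDS = {"b.off", "m.off", "rmrf"}
IRC_VERBS = {"NICK", "USER", "JOIN", "PRIVMSG", "PING", "PONG", "MODE"}


def inspect_line(line: str) -> list:
    """Return the reasons one log line looks like Phorpiex IRC C&C traffic."""
    m = LINE_RE.match(line)
    if not m:
        return []
    verb, _, rest = m.group("msg").partition(" ")
    rest = rest.strip()
    reasons = []
    # Either side of the conversation may carry port 5050.
    if C2_PORT in (m.group("sport"), m.group("dport")) and verb in IRC_VERBS:
        reasons.append("IRC protocol on TCP/5050")
    if verb == "NICK" and NICK_RE.match(rest):
        reasons.append("nick matches |<CC>|[a-z]{3}")
    if verb == "JOIN" and rest in KNOWN_CHANNELS:
        reasons.append("join to known channel " + rest)
    if verb == "PRIVMSG":
        _, _, text = rest.partition(":")   # PRIVMSG <target> :<text>
        if text.strip() in BOT_COMMANDS:
            reasons.append("bot command " + text.strip())
    return reasons


def triage(log_text: str) -> list:
    """(line number, reasons) for every line that matched at least one trait."""
    out = []
    for n, line in enumerate(log_text.splitlines(), 1):
        reasons = inspect_line(line)
        if reasons:
            out.append((n, reasons))
    return out


# Constructed log excerpt: a bot session to the C&C server from this analysis,
# followed by an unrelated IRC session to a made-up server.
SAMPLE_LOG = """\
2018-05-29T10:00:01Z 10.0.0.7:49211 -> 185.189.58.222:5050 NICK |USA|qzd
2018-05-29T10:00:01Z 10.0.0.7:49211 -> 185.189.58.222:5050 USER qzd 0 * :qzd
2018-05-29T10:00:02Z 10.0.0.7:49211 -> 185.189.58.222:5050 JOIN #SMTP
2018-05-29T10:05:40Z 185.189.58.222:5050 -> 10.0.0.7:49211 PRIVMSG #SMTP :m.off
2018-05-29T10:06:00Z 10.0.0.7:50333 -> 192.0.2.10:6667 NICK bob
2018-05-29T10:06:00Z 10.0.0.7:50333 -> 192.0.2.10:6667 JOIN #python
"""

if __name__ == "__main__":
    for n, reasons in triage(SAMPLE_LOG):
        print(f"line {n}: {'; '.join(reasons)}")
```

Port alone is a weak signal (IRC on a non-standard port happens legitimately), so the nick format, channel join, and command lines are what raise confidence; a line with two or more reasons is a good pivot for looking up the source host.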

SMTP Brute Force

Phorpiex can receive an IRC command that causes the infected host to brute-force SMTP accounts on a list of mail servers received from the C&C server. Once started, the brute-force routine attempts each combination of the usernames and passwords shown in the table below for login attempts against those SMTP servers:

Usernames/Passwords

test
guest1
test1
guest123
test123
testing
info
upload
admin
tester
webmaster
testuser1
postmaster
12345
contact
123456
12345
1234567
123456
12345678
1234567
123456789
12345678
1234567890
123123
123123
test
admin
test1
admin1
test123
admin123
test1234
admin1234
info
administrator
admin
ftpadmin
admin1
ftpuser
Password1
guest1
password
guest123
1q2w3e
Password1
1q2w3e4r
passw0rd
q1w2e3r4
password
postmaster
password1
admin
q1w2e3r4
administrator
q1w2e3r4t5
test
qwerty
test1
qwerty123
test123
temp
user
temp123
testuser
test
info
test1
ftpuser
test123
ftpadmin
test1234
support
testing
backup
upload
guest
abc123
123qwe
1q2w3e
1q2w3e4r

InQuest recommends monitoring mail server logs for these combinations of username and password attempts, as they may indicate that a Phorpiex-infected host is trying to crack into your mail server. Conversely, high-volume outbound SMTP traffic from a workstation to multiple mail servers with repeated login attempts is another high-confidence indicator that the host is infected by Phorpiex or another SMTP brute-force malware.
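The recommendation above can be applied to an MTA's authentication log. The following is an added example written for this page, not InQuest's code: it counts failed SMTP AUTH attempts per source address and flags sources that both exceed a failure threshold and cycle through usernames from the table. Because a mail server logs the username but not the password, and the table mixes both, the de-duplicated contents of the whole table are checked as usernames. The log line layout and the sample addresses are constructed; adapt the regex to your own MTA's format.

```python
import re
from collections import defaultdict

# Added example (not InQuest's code). De-duplicated words from the table above.
PHORPIEX_CREDENTIAL_WORDS = {
    "test", "guest1", "test1", "guest123", "test123", "testing", "info", "upload",
    "admin", "tester", "webmaster", "testuser1", "postmaster", "12345", "contact",
    "123456", "1234567", "12345678", "123456789", "1234567890", "123123",
    "admin1", "admin123", "test1234", "admin1234", "administrator", "ftpadmin",
    "ftpuser", "Password1", "password", "1q2w3e", "1q2w3e4r", "passw0rd",
    "q1w2e3r4", "password1", "q1w2e3r4t5", "qwerty", "qwerty123", "temp", "user",
    "temp123", "testuser", "support", "backup", "guest", "abc123", "123qwe",
}

# Assumed (constructed) log layout; change this to match your MTA's auth log.
AUTH_FAIL_RE = re.compile(
    r"smtpd\[\d+\]: AUTH failure user=(?P<user>\S+) src=(?P<src>[\d.]+)"
)


def find_bruteforce_sources(lines, min_failures=10, min_listed_users=3):
    """Return {src_ip: stats} for sources whose failed-AUTH volume and choice
    of usernames look like the Phorpiex SMTP brute-force routine."""
    failures = defaultdict(int)
    users = defaultdict(set)
    for line in lines:
        m = AUTH_FAIL_RE.search(line)
        if not m:
            continue
        failures[m["src"]] += 1
        users[m["src"]].add(m["user"])
    flagged = {}
    for src, count in failures.items():
        listed = users[src] & PHORPIEX_CREDENTIAL_WORDS
        if count >= min_failures and len(listed) >= min_listed_users:
            flagged[src] = {
                "failures": count,
                "listed_users": sorted(listed),
                "other_users": sorted(users[src] - listed),
            }
    return flagged


# Constructed sample: one source cycling through table usernames twice (12
# failures), one real user who mistyped a password twice.
_TRIED = ["test", "admin", "info", "postmaster", "webmaster", "support"] * 2
SAMPLE_LINES = [
    f"May 29 10:00:{i:02d} mx1 smtpd[412]: AUTH failure user={u} src=203.0.113.5"
    for i, u in enumerate(_TRIED)
] + [
    "May 29 10:01:30 mx1 smtpd[412]: AUTH failure user=alice src=198.51.100.9",
    "May 29 10:01:35 mx1 smtpd[412]: AUTH failure user=alice src=198.51.100.9",
]

if __name__ == "__main__":
    for src, stats in find_bruteforce_sources(SAMPLE_LINES).items():
        print(src, stats)
```

The two thresholds are deliberately separate: a single user failing many times is a locked-out account, not a brute-force run, while a handful of failures spread across "test", "admin" and "postmaster" from one address is the pattern worth escalating even at low volume. The same per-source counting, applied to outbound connections to port 25 from workstations, covers the inverse case the text describes.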

Email Building & Spreading

Once the IRC bot receives a specific command from the C&C server whose contents are an encoded URL, a process is started on the infected host to decode that string and retrieve the arbitrary file located at the decoded URL. This file is then built into a .zip file which is ultimately attached to the phishing email. The vast majority of headers and some of the email body content are created from randomized choices of hard-coded strings or randomly generated strings of a certain length, such as the Subject line, email body signature, Received headers, Mailer-ID, and attachment filenames.

The email will use one of the following subject lines, with a randomized string of digits after the "#" sign:

Document #[0-9]{4}

Your Document #[0-9]{4}

Invoice #[0-9]{4}

Payment Invoice #[0-9]{4}

Your Order #[0-9]{4}

Payment #[0-9]{4}

Ticket #[0-9]{4}

Your Ticket #[0-9]{4}

The following message body is used in the emails and is hard-coded into the payloads:

Dear Customer,
to read your document please open the attachment and reply as soon as possible.
Kind regards,
[A-Z]{3} Customer Support

Other crafted email headers, mentioned above, that are good candidates for detection within mail server, Yara, or IDS signatures include:

The public IP address mentioned above is received by contacting the public IP service "api.wipmania.com". The service "icanhazip.com" is also seen in the malware and is used for the same purpose within a variation of the email spreading command.

It is worth noting that the way these emails are built, from the payload creation and email message body to the email headers, has not changed since the early versions of the malware. Some samples may have more subject line variations than others, but otherwise the email spreading functionality has remained largely the same since the malware's inception.

Name Selection

The first and last name parameters seen above are constructed by selecting two names from the table below and combining them to create a more realistic sender name:

Names

Adolfo
Deidre
James
Adolph
Deirdre
Baker
Adrian
Delbert
Gonzalez
Adrian
Delia
Nelson
Adriana
Gilda
Carter
Adrienne
Gina
Mitchell
Agnes
Ginger
Perez
Agustin
Gino
Roberts
Ahmad
Giovanni
Turner
Ahmed
Gladys
Phillips
Aida
Glen
Campbell
Aileen
Glenda
Parker
Aimee
Glenn
Evans
Aisha
Glenna
Edwards
Beulah
Gloria
Collins
Beverley
Goldie
Stewart
Beverly
Gonzalo
Sanchez
Bianca
Gordon
Morris
Bill
Hugh
Rogers
Billie
Hugo
Reed
Billie
Humberto
Cook
Billy
Hung
Morgan
Blaine
Hunter
Bell
Blair
Ignacio
Murphy
Blake
Ilene
Jackson
Blanca
Imelda
White
Blanche
Imogene
Harris
Bobbi
Ines
Martin
Bobbie
Tania
Thompson
Bobby
Tanisha
Garcia
Bonita
Tanner
Martinez
Bonnie
Tanya
Robinson
Booker
Tara
Clark
Boris
Tasha
Rodriguez
Boyd
Taylor
Lewis
Brad
Taylor
Walker
Bradford
Teddy
Hall
Bradley
Terence
Allen
Bradly
Teresa
Young
Brady
Teri
Hernandez
Deann
Terra
King
Deanna
Bailey
Wright
Deanne
Rivera
Lopez
Debbie
Cooper
Hill
Debora
Richardson
Scott
Deborah
Howard
Green
Debra
Ward
Adams
Deena
Torres
Smith
Brown
Peterson
Johnson
Davis
Gray
Williams
Miller
Ramirez
Jones
Wilson
Thomas
Wood
Moore
Watson
Barnes
Taylor
Brooks
Ross
Anderson
Kelly
Henderson
Price
Sanders
Coleman
Bennett
Jenkins

Payload Crafting

The payload that will ultimately be attached to the phishing email uses the name convention:

DOC[0-9]{10}.zip

This payload is crafted by first creating a file in the %TEMP% directory for a payload downloaded from the C&C server over HTTP.

The downloaded payload is saved into the %TEMP% directory and then compressed into a zip file using the naming convention described above. In recent cases, the zipped payload has been a malicious JavaScript file or a Word document leveraging macros to retrieve the actual GandCrab and Phorpiex malware.

Detections, Mitigations, and Remediations

InQuest customers are protected against the Phorpiex family by the following published signature:

Event ID: 5000869
Name: MC_Phorpiex
Confidence: 8
Severity: 8

InQuest recommends detecting this phishing campaign by searching available mail server logs for variations of the email subjects, email header patterns, attachment names, sender name combinations, and the existence of the email body as described above in the section titled "Email Building & Spreading".
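The lure traits listed under "Email Building & Spreading" and "Payload Crafting" (the fixed subject lines, the hard-coded body, the DOC<10 digits>.zip attachment name, and the "First Last" sender built from the name table) can be checked on a raw message before it reaches a mailbox. The following is an added example written for this page, not InQuest's code: it parses an RFC 822 message with Python's standard email library and reports which traits are present. The name set is a subset of the table above, the sample messages and addresses are constructed, and the base64 attachment body is a placeholder, not a real payload.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Added example (not InQuest's code). Patterns follow the write-up's descriptions.
SUBJECT_RE = re.compile(
    r"^(?:Document|Your Document|Invoice|Payment Invoice|Your Order|"
    r"Payment|Ticket|Your Ticket) #\d{4}$"
)
ATTACHMENT_RE = re.compile(r"^DOC\d{10}\.zip$", re.IGNORECASE)
BODY_RE = re.compile(
    r"Dear Customer,\s*to read your document please open the attachment and "
    r"reply as soon as possible\.\s*Kind regards,\s*[A-Z]{3} Customer Support"
)
# Subset of the name table above; extend with the full table in production.
NAMES = {
    "Adolfo", "Adrian", "Adriana", "Agnes", "Ahmed", "Bill", "Billy", "Blake",
    "Bobby", "Boris", "Brad", "Bradley", "Deanna", "Debbie", "Deborah", "Gina",
    "Glenn", "Gloria", "Gordon", "Hugo", "Hunter", "Tanya", "Tara", "Teresa",
    "Baker", "Gonzalez", "Nelson", "Carter", "Mitchell", "Perez", "Roberts",
    "Turner", "Campbell", "Parker", "Evans", "Collins", "Stewart", "Sanchez",
    "Morris", "Rogers", "Reed", "Cook", "Morgan", "Bell", "Murphy", "Jackson",
    "White", "Harris", "Martin", "Thompson", "Garcia", "Martinez", "Robinson",
    "Clark", "Rodriguez", "Lewis", "Walker", "Hall", "Allen", "Young", "King",
    "Wright", "Lopez", "Hill", "Scott", "Green", "Adams", "Smith", "Brown",
    "Johnson", "Davis", "Williams", "Miller", "Jones", "Wilson", "Thomas",
    "Moore", "Anderson", "Taylor",
}


def phorpiex_mail_indicators(raw: str) -> list:
    """Return which of the four lure traits a raw RFC 822 message shows."""
    msg = message_from_string(raw, policy=default)
    hits = []
    if SUBJECT_RE.match(str(msg.get("Subject", "")).strip()):
        hits.append("subject pattern")
    name, _ = parseaddr(str(msg.get("From", "")))
    parts = name.split()
    if len(parts) == 2 and all(p in NAMES for p in parts):
        hits.append("sender name built from name table")
    for part in msg.walk():
        filename = part.get_filename()
        if filename and ATTACHMENT_RE.match(filename):
            hits.append("attachment DOC<10 digits>.zip")
        elif part.get_content_type() == "text/plain":
            if BODY_RE.search(part.get_content()):
                hits.append("hard-coded body text")
    return hits


def is_phorpiex_lure(raw: str) -> bool:
    """Two or more traits together are treated as a match for the campaign."""
    return len(phorpiex_mail_indicators(raw)) >= 2


# Constructed lure in the shape described above; the zip body is a placeholder.
SAMPLE_MESSAGE = """\
From: Adrian Carter <adrian.carter@example.com>
To: someone@example.org
Subject: Payment Invoice #4821
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Dear Customer,
to read your document please open the attachment and reply as soon as possible.
Kind regards,
XYZ Customer Support
--b1
Content-Type: application/zip; name="DOC1234567890.zip"
Content-Disposition: attachment; filename="DOC1234567890.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed ordinary message for comparison.
BENIGN_MESSAGE = """\
From: Jane Doe <jane@example.org>
To: someone@example.org
Subject: Lunch on Friday?

See you at noon.
"""

if __name__ == "__main__":
    print(phorpiex_mail_indicators(SAMPLE_MESSAGE), is_phorpiex_lure(SAMPLE_MESSAGE))
    print(phorpiex_mail_indicators(BENIGN_MESSAGE), is_phorpiex_lure(BENIGN_MESSAGE))
```

The subject and attachment-name patterns are exact by design: "Document #1234" matches, "Re: Document #1234" or "DOC123.zip" does not, which keeps the check from firing on ordinary invoice traffic. The sender-name trait is weak on its own (real people share those names), which is why the verdict requires two traits rather than one.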

InQuest recommends monitoring mail server logs for the username and password combinations listed above, as they may indicate that a Phorpiex-infected host is trying to crack into your mail server. Inversely, high-volume outbound SMTP traffic from a workstation to multiple mail servers making a multitude of login attempts is another high-confidence indicator that the originating host is infected by Phorpiex or another SMTP brute-force malware.